This comment doesn't make sense. All attacks are not equal. Some require physical access; some do not. Some require seed data; some do not. What exactly are you talking about here?
This is why security people are so frustrating to talk to; you only talk in extremes.
> Rather than worry about whether or not a practical attack already or will one day exist, I'd use cryptography that hasn't been shown to be broken.
That's not what I'm worried about. I'm worried about given that they do exist what is the risk to me? What is the likelihood that my account has been broken into?
> This comment doesn't make sense. All attacks are not equal. Some require physical access; some do not. Some require seed data; some do not. What exactly are you talking about here?
I'm not a security expert, more of a hobbyist. So I'll let someone else quantify potential specifics. To my understanding, they would not require physical access and would be able to guess any passwords generated (once an attack has been found/created).
> That's not what I'm worried about. I'm worried about given that they do exist what is the risk to me? What is the likelihood that my account has been broken into?
The chances of 0 becoming 1 are not quantifiable because it requires knowing unknowns. It is, however, non-zero. For a small list of unknowns:
1) Who knows about the attack?
2) How practical is the attack?
3) What software/websites/people are they choosing to attack?
4) Are you even using any of the software/websites that are being attacked?
5) Are they going to accept cracking <10%~ accounts if they can do so in <24 hours or is their goal to crack >50%~ accounts? Many crackers only care to scrape the bottom of a barrel. What are the chances you were in the part of the barrel they scraped?
I assume the worst because being compromised is a zero-sum game. I've been compromised or I haven't. Therefore my variables are:
Everyone. Extremely. Only things I use. Of course. Doesn't matter, I'm in the targeted group.
I wouldn't make any bets on security through obscurity.
Getting my reddit account hacked is not the end of my life. Hell, getting my bank account hacked is not the end of my life. I don't want those things to happen, I will take precautions to prevent it.
But too often security people talk as though it's the only thing I should care about. And it's not, I care about other things too, to varying degrees.
So, to make an informed decision, I need to know more than just that Math.random() is insecure. Knowing that an attack wouldn't require physical access is the type of information I'm interested in. So thank you for that.
I understand completely. I feel most people's threat models stop even before 'threat has physical access'. The chances of both your computer being stolen and the person who stole it being tech-savvy enough [0] to break into things may as well be 0 for anyone who isn't the target of a state actor or working in a security field. At that point the only people who care are the people who care about security or slim chances like that occurring. :)
[0] Or the thief selling it to someone who is tech-savvy enough. Still practically 0 for most everyone.